UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

OCT 31 2002

CONTROL NUMBER
ED-OIG/A19-C0006

Theresa S. Shaw, Chief Operating Officer
Federal Student Aid
U.S. Department of Education
830 First Street, NE
Washington, DC 20202

Dear Ms. Shaw:

This Final Audit Report (Control Number ED-OIG/A19-C0006) presents the results of our audit of the Department of Education's controls over the access, disclosure, and use of Social Security Numbers (SSNs) by third parties.

Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by appropriate Department of Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available, if requested, to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

BACKGROUND

The Social Security Administration created the Social Security Number (SSN) in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. Over the years, the SSN has become a national identifier used by Federal agencies, State and local governments, and private organizations. Due to concerns related to sharing of personal information and identity theft, Congress asked the General Accounting Office (GAO) to study how and to what extent Federal, State and local government agencies use individuals' SSNs and how these entities safeguard records or documents containing those SSNs. The Chairman of the House Ways and Means Subcommittee on Social Security asked the Social Security Administration, Office of Inspector General, and the President's Council on Integrity and Efficiency (PCIE) to review the way Federal agencies disseminate and control the SSN. The Offices of Inspector General (OIG) for several agencies participated in this review.

400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510
Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.

Ms. Theresa S. Shaw                                                              Page 2 of 9

A standardized audit approach was developed for all participating agencies based on a GAO survey conducted in August 2001. GAO sent questionnaires to officials of Federal programs that were likely to routinely collect, maintain, and use individuals' SSNs. GAO asked each agency to complete questionnaires for five program areas. Each OIG participating in the PCIE effort was asked to conduct an in-depth review of one of the programs for which a questionnaire was completed. The Department of Education (Department) completed questionnaires for the following areas: Direct Loan Originations, Pell Grant Program, Federal Student Aid Collections, Education Central Automated Processing System/Grants and Administration Payment System (EDCAPS/GAPS), and Rehabilitation Services.
We selected the Pell Grant Program for the PCIE review since the Department reported the highest number of SSNs in that program.

The objectives were to determine whether each agency:

    1. Makes legal and informed disclosures of SSNs to third parties;
    2. Has appropriate controls over contractors' access and use of SSNs;
    3. Has appropriate controls over other entities' access and use of SSNs; and
    4. Has adequate controls over access to individuals' SSNs maintained in its databases.

AUDIT RESULTS

Our audit was limited to review of the Pell Grant program and the Recipient Financial Management System (RFMS). We determined that the only disclosures of SSNs to third parties from the RFMS were to Federal Student Aid (FSA) contractors. As such, the third objective regarding access by other entities was not applicable. (See the Objectives, Scope, and Methodology section of this report for the definition of a disclosure established for this review and the audit scope. See also Attachment 1 for details on the flow of SSNs through the Pell Grant system.)

We found that, in general, the Department made legal and informed disclosures of SSNs. We found that improvements were needed in the Department's controls over contractors' access to and use of SSNs, and in controls over access to individuals' SSNs maintained in the RFMS.

The Department responded to our draft report, concurring with the finding and all recommendations provided. The Department also described specific corrective actions they have taken and intend to take to address the issues noted. The full text of the Department's response is included as Attachment 2 to this audit report.

Finding No. 1    Improvements Are Needed in Monitoring of FSA Contractor Access, Disclosure and Use of Social Security Numbers.

Our audit revealed FSA staff did not adequately monitor the RFMS contractor's performance to ensure that SSNs were appropriately safeguarded. Specifically, we found that FSA staff did not confirm whether the RFMS contractor provided Privacy Act training for contractor personnel as required, and whether all contractor staff with access to the RFMS were still currently employed by the contractor.

We also found that FSA did not maintain a current listing of RFMS users. During our review, FSA staff provided us with a listing of staff with access to the system, but they stated that the listing needed to be updated. FSA staff further stated that the RFMS contractor previously provided regular reports of all current users, but that such a report had not been provided since June 2002.

The Privacy Act of 1974 (5 U.S.C. § 552a, as amended) provides requirements on the protection of personal information.
Sections (e)(9) and (e)(10) of the Act require agencies to:

        [E]stablish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance.

        [E]stablish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

Section (m)(1) of the Privacy Act requires agencies to include compliance with the Privacy Act in contracts for the operation of a system of records. Likewise, the Federal Acquisition Regulation (FAR) § 24.102(a) states that the Privacy Act:

        [R]equires that when an agency contracts for the design, development, or operation of a system of records on individuals on behalf of the agency to accomplish an agency function the agency must apply the requirements of the Act to the contractor and its employees working on the contract.

The Department's Directive (Directive), C:GPA 2-110, "Contract Monitoring for Program Officials," dated January 12, 1987, establishes internal standards and guidelines in conducting day-to-day contract monitoring.
The Directive states:

        It is the policy of the Department of Education (a) to monitor every contract to the extent appropriate to provide reasonable assurance that the contractor performs the work called for in the contract, and (b) to develop a clear record of that performance and the Department's efforts in monitoring it. (Section II, page 2 of the Directive)

        Contract monitoring is conducted by the Government to ensure that the contractor performs according to the specific promises and agreements that make up the contract. (Section VIII.A, page 10 of the Directive)

        Site visits may be advisable for particularly complex contracts, for those known to be experiencing performance difficulties, or for any contract where it would be good to demonstrate the Government's interest or concern for successful performance. (Section H.1, page 22 of the Directive)

The RFMS contract Statement of Work, Section 5.8.3, Computer Security and Privacy Act Training, states that the contractor shall:

        Provide formal classroom instruction for contractor personnel and packaged instruction for Department of Education staff prior to system start-up…. Give computer security and Privacy Act refresher training annually to meet the requirements identified in the Computer Security Act of 1987.

We found that FSA included the requirements of the Privacy Act in the RFMS contract and established rules of conduct for the system. However, FSA staff did not conduct site visits or otherwise verify that the contractor was complying with the Privacy Act requirements. For example, FSA did not monitor contractor activities to ensure that training was provided as required. FSA staff did not receive copies of training records or certifications from the contractor confirming that training had taken place and that these requirements were being met. In fact, annual refresher training had not been provided since November 2000. We also found that FSA staff did not maintain a current listing of RFMS users or validate such a listing to ensure all users were appropriately trained and were still employed by the contractor.

As a result, FSA does not have assurance that contractor staff with access to SSNs and other personal information in the RFMS are aware of Department policies and procedures and Federal laws prohibiting the disclosure of such information. FSA also does not have assurance that contractor staff with access to the system are still current employees.

Recommendations:

We recommend that the Chief Operating Officer for Federal Student Aid take actions to ensure:

1.1     FSA staff appropriately monitor contractor operations to ensure that training is provided to contractor staff as required.

1.2     FSA staff receive copies of training records or certifications from the contractor on a regular basis and periodically reconcile this information with user listings to ensure all users are appropriately informed of their responsibilities and the prohibitions against disclosure of SSNs and other information.

1.3     FSA maintains a current listing of RFMS users and periodically validates the listing of RFMS users to ensure that all staff with access to the system are current employees, and that access is canceled timely for staff that have separated.

1.4     FSA review other contracts with Privacy Act provisions to ensure that those contracts are appropriately monitored for compliance with Privacy Act requirements.
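The periodic reconciliation called for in Recommendations 1.2 and 1.3 (user listing checked against the contractor's employment roster and its training certifications), written as an added example; this is not code from the report, from FSA, or from any Department system, and the CSV layouts, column names, thresholds and sample accounts are assumptions constructed for illustration:

```python
"""Reconcile a system user listing against the contractor's employment roster
and Privacy Act training records, and flag the exceptions an SSO should act on.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample exports (hypothetical accounts, not real users or data).
USER_LISTING = """\
user_id,name,role
jdoe,Jane Doe,operator
rroe,Richard Roe,dba
mmoe,Mary Moe,helpdesk
spoe,Sam Poe,operator
"""
# spoe is absent from the roster: the contractor cannot vouch for that account.
EMPLOYMENT_ROSTER = """\
user_id,status,separation_date
jdoe,active,
rroe,separated,2002-07-15
mmoe,active,
"""
TRAINING_RECORDS = """\
user_id,course,completed
jdoe,privacy_act_refresher,2002-10-24
rroe,privacy_act_refresher,2002-10-24
mmoe,privacy_act_refresher,2000-11-01
"""

REFRESHER_INTERVAL = timedelta(days=365)  # contract: refresher training annually
LISTING_MAX_AGE = timedelta(days=31)      # user report expected monthly (assumed)
CANCEL_GRACE = timedelta(days=3)          # assumed window to remove separated staff


@dataclass
class ReconciliationReport:
    stale_listing: bool
    not_current_employee: list[str] = field(default_factory=list)
    access_past_separation: list[str] = field(default_factory=list)
    training_missing: list[str] = field(default_factory=list)
    training_expired: list[str] = field(default_factory=list)

    def has_exceptions(self) -> bool:
        return self.stale_listing or any(
            (self.not_current_employee, self.access_past_separation,
             self.training_missing, self.training_expired))


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(listing_csv: str, roster_csv: str, training_csv: str,
              listing_date: date, as_of: date) -> ReconciliationReport:
    roster = {r["user_id"]: r for r in _rows(roster_csv)}
    latest: dict[str, date] = {}  # most recent refresher completion per user
    for r in _rows(training_csv):
        if r["course"] != "privacy_act_refresher":
            continue
        done = date.fromisoformat(r["completed"])
        if done > latest.get(r["user_id"], date.min):
            latest[r["user_id"]] = done

    report = ReconciliationReport(stale_listing=as_of - listing_date > LISTING_MAX_AGE)
    for user in _rows(listing_csv):
        uid = user["user_id"]
        emp = roster.get(uid)
        if emp is None or emp["status"] != "active":
            # Access exists for someone the contractor does not list as active.
            report.not_current_employee.append(uid)
            if emp is not None and emp["separation_date"]:
                separated = date.fromisoformat(emp["separation_date"])
                if as_of - separated > CANCEL_GRACE:
                    report.access_past_separation.append(uid)
            continue
        trained = latest.get(uid)
        if trained is None:
            report.training_missing.append(uid)
        elif as_of - trained > REFRESHER_INTERVAL:
            report.training_expired.append(uid)
    return report


def sample_report() -> ReconciliationReport:
    # Listing last delivered June 2002 (as the audit found); review run 31 Oct 2002.
    return reconcile(USER_LISTING, EMPLOYMENT_ROSTER, TRAINING_RECORDS,
                     listing_date=date(2002, 6, 30), as_of=date(2002, 10, 31))


if __name__ == "__main__":
    print(sample_report())
```

Each non-empty list in the report is an item for the SSO to resolve with the contractor, and a stale listing means the monthly user report itself is overdue.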
OBJECTIVE, SCOPE, AND METHODOLOGY

The objectives of our audit were to determine whether the Department:

    1. Makes legal and informed disclosures of SSNs to third parties;
    2. Has appropriate controls over contractors' access and use of SSNs;
    3. Has appropriate controls over other entities' access and use of SSNs; and
    4. Has adequate controls over access to individuals' SSNs maintained in its databases.

For the purpose of this audit, disclosure of SSNs was defined as new information provided to a third party, whether it be another Government agency, a contractor, or an outside organization. If a third party first sends a file of SSNs to the agency, the agency matches those SSNs against its records to determine eligibility or some other information, and sends the additional information back to the third party, that process is not considered a disclosure for the purposes of our audit. For example, the exchange of information between educational institutions and the RFMS is not considered a disclosure, since the institutions provide the SSN with records initially sent to RFMS. Applying this criterion, we determined that SSNs were not disclosed from the RFMS to entities other than contractors. As such, the third objective of this audit did not apply to the scope of our audit. See Attachment 1 for further details on the flow of SSNs through the Pell Grant system.

In selecting a program to review, we performed an analysis of the Department's responses to the GAO questionnaire for Direct Loan Originations, Pell Grant Program, Federal Student Aid Collections, EDCAPS/GAPS, and Rehabilitation Services. We evaluated the Department's responses regarding the volume of records stored on computer systems, the disclosure of SSN information to third parties, the number of private contractors who have access to SSN information, computer network access by third parties, and the number of separate computer systems that contain SSNs. We selected the Pell Grant Program for further review based on the Department's report of approximately 50 million SSNs in the system. This amount far exceeded those reported for the other programs. The other factors reviewed did not differ significantly among the five programs.

The scope of our audit was calendar year 2001. We did not review the Common Origination and Disbursement system that is now used for the Pell Grant Program, as that system had not been implemented during the audit period.

To accomplish our objectives, we conducted interviews with FSA staff responsible for the operation and security of the Pell Grant system. We reviewed the Privacy Act of 1974, Federal Acquisition Regulation, and Departmental policies and procedures on the protection and use of Privacy Act information and on the requirements for contract monitoring. We reviewed the general terms and conditions for the contracts for development and operation of the RFMS to determine the requirements regarding access to and disclosure of SSNs. We also reviewed the Department's Privacy Act System of Records notices for RFMS and other related FSA systems. We reviewed disclosures of the uses of data made on the Free Application for Federal Student Aid (FAFSA) form and the FAFSA electronic form on FSA's website. We reviewed computer-matching agreements with other Federal agencies, as well as risk assessments and security reviews conducted of the RFMS and of the Virtual Data Center where RFMS data is stored.
We did not rely upon computer-processed data in conducting our audit.

We performed our fieldwork at applicable Department of Education offices in Washington, DC, during the period April 2, 2002, through September 18, 2002. We held an exit conference with Department officials on September 18, 2002. We performed our audit in accordance with generally accepted government auditing standards appropriate to the scope of the review described above.

STATEMENT ON MANAGEMENT CONTROLS

We made a study and evaluation of Federal Student Aid's management control structure over the access, disclosure, and use of Social Security Numbers by third parties. Our review was limited to evaluation of the Pell Grant system operations during the period of our review. Our study and evaluation was conducted in accordance with generally accepted government auditing standards.

For the purpose of this report, we assessed and classified the significant management control structure into the following categories:

•   Disclosure of SSNs to third parties,
•   Contractors' access and use of SSNs, and
•   Access to SSNs in the Department's RFMS database.

Department management is responsible for establishing and maintaining a management control structure. In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of control procedures. The objectives of the system are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition and that the transactions are executed in accordance with management's authorization and recorded properly, so as to permit effective and efficient operations.

Because of inherent limitations in any management control structure, errors or irregularities may occur and not be detected. Also, projection of any evaluation of the system to future periods is subject to the risk that procedures may become inadequate because of changes in conditions, or that the degree of compliance with the procedures may deteriorate.

Our assessment disclosed conditions in the Department's management control structure over disclosure of SSNs to contractors which, in our opinion, result in more than a relatively low risk that errors, irregularities, and other inefficiencies may occur, resulting in inefficient and/or ineffective performance. We noted a weakness with respect to the Department's monitoring of contractors' access to, disclosure, and use of SSNs, and in controls over access to individuals' SSNs in the RFMS. These weaknesses are discussed in the Audit Results section of this report.

ADMINISTRATIVE MATTERS

Please provide the Supervisor, Post Audit Group, Office of the Chief Financial Officer and the Office of Inspector General with quarterly status reports on promised corrective actions until all such actions have been completed or continued follow-up is unnecessary.

We appreciate the cooperation provided to us during this review.
Should you have any questions concerning this report, please call Michele Weaver-Dugan at (202) 863-9526. Please refer to the control number in all correspondence related to the report.

                                Sincerely,

                                Helen Lew
                                Acting Assistant Inspector General for Audit Services

Attachment 1

The Flow of Social Security Numbers (SSNs) through the Pell Grant System

•   Applicant SSNs are originally provided on the Free Application for Federal Student Aid (FAFSA) Application Processing System. The Recipient Financial Management System (RFMS) receives the SSNs for eligible Pell recipients via the Eligible Applicant File from the Central Processing System (CPS).

•   The Federal Pell Grant program does not directly make disclosures to eligible applicants of the uses of their personal information. Such disclosures do appear on the FAFSA forms (paper and electronic), Privacy Act Systems of Records notices, and the Federal Register. These notices are applicable to all Title IV applicants, including Pell eligible applicants.

•   Institutions send origination records to RFMS. These origination records include students' SSNs and institutions' determinations of the Pell award amount. Original SSNs are matched to the eligible applicant data provided previously to RFMS by CPS. RFMS processes the data received from the institution and then provides the institution with an acknowledgment indicating that the record has been accepted, corrected, or rejected.

•   Once origination records have been accepted, institutions disburse funds to the students and transmit disbursement records to RFMS for processing. Again, students' SSNs are provided to RFMS by institutions in disbursement records. RFMS matches the information provided by institutions to the previously received origination records and transmits acknowledgements back to institutions.

•   Upon request by an institution, a year-to-date summary of originations and disbursements information that the institution previously sent to RFMS will be provided. This file includes only accepted and/or corrected records previously sent by the institution.

Attachment 2

UNITED STATES DEPARTMENT OF EDUCATION
STUDENT FINANCIAL ASSISTANCE
WASHINGTON, D.C. 20202-5132

CHIEF OPERATING OFFICER

OCT 23 2002

Ms. Michele Weaver-Dugan
Director, Operations Internal Audit Team
U.S. Department of Education
Office of Inspector General
400 Maryland Avenue, S.W.
Washington, DC 20202-1600

Dear Ms. Weaver-Dugan:

Thank you for the opportunity to review and comment on the draft audit report (Control Number ED-OIG/A19-C0006) that presents the results of your audit of the Department of Education's "Controls over the Access, Disclosure, and Use of Social Security Numbers (SSNs) by Third Parties."
Specifically, your audit finding and the recommendations pertain to your audit of the Federal Pell Grant program and the Recipient Financial Management System (RFMS) administered by the Department's Federal Student Aid program.

We concur with the finding and the four recommendations identified in the report. The attachment provides the Department's response to each recommendation. We used your report to assist us in improving our controls over Social Security Number access, disclosure, and release.

Again, we appreciate the opportunity to review and comment on the draft report.

                                                          Theresa S. Shaw

cc:   Kathleen Wicks
      Rosemary Beavers

We help put America through school.

Response to OIG Draft Audit Report
Audit of Controls over the Access, Disclosure, and Use of Social Security Numbers (SSNs) by Third Parties

Office of Inspector General (OIG) draft report section:

OIG Finding No. 1:

Improvements are needed in monitoring of FSA Contractor Access, Disclosure and Use of Social Security Numbers.

OIG Recommendation 1.1: Ensure FSA staff appropriately monitor contractor operations to ensure that training is provided to contractor staff as required.

FSA Response: We concur. The Contractor has scheduled Privacy Act training for October 24, 2002. Once the training is completed, the Systems Security Officer (SSO) will obtain a report from the contractor. The SSO will monitor the contractor more closely and receive compliance reports on a monthly basis for the full term of the contract. The RFMS contract is scheduled to end this fiscal year. We will ensure that the SSO for the Common Origination and Disbursement (COD) contract, which replaces RFMS, complies with the Privacy Act and Departmental Directive C:GPA 2-110, "Contract Monitoring for Program Officials," and appropriately monitors contractor operations to ensure that training is provided to contractor staff.

OIG Recommendation 1.2: Ensure FSA staff receive copies of training records or certifications from the contractor on a regular basis and periodically reconcile this information with user listings to ensure all users are appropriately informed of their responsibilities and the prohibitions against disclosure of SSNs and other information.

FSA Response: We concur. On October 24, 2002, the Contractor has scheduled Privacy Act training that will appropriately inform all users of their responsibilities and prohibitions against disclosure of SSNs and other information. The Contractor will submit training records or certifications of training upon completion of this training. The RFMS contract is scheduled to end this fiscal year. We will ensure that the SSO for the COD contract monitors the contract more closely and on a monthly basis, and reconciles the training records with the user listing.

OIG Recommendation 1.3: Ensure FSA maintains a current listing of RFMS users and periodically validates the listing of RFMS users to ensure that all staff with access to the system are current employees, and that access is canceled timely for staff that have separated.

FSA Response: We concur. In October 2002, the SSO reviewed and validated the listing of RFMS users to ensure that they are current employees. The SSO confirmed that access was canceled for employees who separated. The RFMS contract is scheduled to end this fiscal year. We will ensure the SSO for the COD contract reviews and validates listings on a monthly basis and removes employees upon notification of separation.

OIG Recommendation 1.4: Ensure FSA review other contracts with Privacy Act provisions to ensure that those contracts are appropriately monitored for compliance with Privacy Act requirements.

FSA Response: We concur. We will have SSOs review all current contracts with Privacy Act provisions to ensure that they are appropriately monitored for compliance with Privacy Act requirements.